GD bbPress Toolbox Pro 3.6.3 is a security release. It fixes a Cross-Site Request Forgery (CSRF) issue that, in very rare cases, can lead to an SQL injection attack. This is not a big security risk, but it is important to have every security-related issue fixed.
This issue was discovered in the WordPress SEO by Yoast plugin a few days ago, but there is no proof that any website has been hacked through it. The chances of that happening are very low, because it can only happen if a website administrator, while logged in, clicks on a link prepared for this type of exploit. So the exploit can't be used for mass hacking; it depends on the administrator. The attack uses the sorting variables 'order' and 'orderby', which are received from the URL and used in an SQL query. If they are not sanitized, an attacker can place additional SQL into the ORDER BY clause of that query. To work, the link must be crafted for a specific plugin and a specific page in that plugin's admin settings, so the attacker has to know which plugins you use and how they operate in order to tailor the URL for you. On top of that, the attacker needs to convince you to click such a link (for example, from an email or a page you visit while logged in). So the chance of this actually happening is very slim.
GD bbPress Toolbox Pro has two admin panels that list attachments and attachment errors. Both pages allow sorting by several columns. When building the SQL query, the plugin already applies all the proper checks and measures, but there was no specific check for the order and orderby values. Starting with this version, the plugin sanitizes both variables by checking whether the value is on the list of allowed values; if a value is not what the plugin expects, it is removed.
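The whitelist check described above, shown as an added example in plain PHP that is not the plugin's own code. The column names, the default sort and the crafted request are assumptions made up for the illustration; the point is that ORDER BY takes identifiers and keywords, which cannot be bound as prepared-statement values, so the only safe approach is to compare the request values against a fixed list:

```php
<?php
// Added example, not code from GD bbPress Toolbox Pro.
// Column names below are assumed for illustration only.

// Columns an admin list table is allowed to sort by (assumed names).
const ALLOWED_ORDERBY = ['id', 'post_id', 'user_id', 'file_size', 'date'];
// The only two sort directions SQL accepts.
const ALLOWED_ORDER   = ['ASC', 'DESC'];

/**
 * Vulnerable pattern: request values are interpolated straight into the
 * ORDER BY clause. Escaping or $wpdb->prepare() would not help here, because
 * a column name and a sort direction are not string values that can be bound.
 */
function build_order_by_vulnerable(array $request): string {
    $orderby = $request['orderby'] ?? 'id';
    $order   = $request['order'] ?? 'DESC';
    return "ORDER BY $orderby $order";
}

/**
 * Hardened pattern: accept only values from a fixed list. Anything else is
 * dropped and replaced by the default, which is what the 3.6.3 fix describes.
 * Strict comparison (third argument of in_array) avoids loose type matches.
 */
function sanitize_sort_params(
    array $request,
    string $default_orderby = 'id',
    string $default_order = 'DESC'
): array {
    $orderby = $request['orderby'] ?? $default_orderby;
    $order   = strtoupper($request['order'] ?? $default_order);

    if (!in_array($orderby, ALLOWED_ORDERBY, true)) {
        $orderby = $default_orderby;
    }
    if (!in_array($order, ALLOWED_ORDER, true)) {
        $order = $default_order;
    }
    return ['orderby' => $orderby, 'order' => $order];
}

function build_order_by_safe(array $request): string {
    $p = sanitize_sort_params($request);
    return "ORDER BY {$p['orderby']} {$p['order']}";
}

// Constructed requests standing in for $_GET on the admin page. The second
// one is what a crafted link would deliver: a valid column followed by a
// time-based probe, the usual way a blind injection in ORDER BY is confirmed.
$requests = [
    'benign'  => ['orderby' => 'file_size', 'order' => 'asc'],
    'crafted' => ['orderby' => 'id', 'order' => 'DESC, (SELECT SLEEP(5))'],
];

// Print the clause each pattern would send to MySQL for both requests.
foreach ($requests as $label => $request) {
    echo "$label / vulnerable: ", build_order_by_vulnerable($request), PHP_EOL;
    echo "$label / safe:       ", build_order_by_safe($request), PHP_EOL;
}
```

With the vulnerable builder the crafted request reaches MySQL with the subquery intact; with the whitelist it collapses to the default direction. In a real WordPress plugin the same list-based check is what WordPress's own `sanitize_sql_orderby()` approximates with a regular expression, and the admin page should additionally be protected by a nonce (`wp_nonce_url()` on the sorting links, `check_admin_referer()` before running the query) so that a link built by a third party is rejected before the parameters are ever read.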
It is highly recommended that you update to this new 3.6.3 version as soon as possible, because I believe security issues need to be taken seriously and fixed as soon as possible. Your website is not in any danger as long as you do not blindly click suspicious links that lead to your website's admin side and come from some third-party source.
As usual, if you find any issues with this plugin, report them on the forums and include as much information as you can.
Purchase GD bbPress Toolbox Pro
You can find more information about the plugin on its page on the Dev4Press website. You can buy a license for this plugin here.
Official Website
GD bbPress Toolbox Pro has its own website where you can check all plugin features in detail:
Home: www.gdbbpbox.com